Update keycloak.version to v24 (major)
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
org.keycloak:keycloak-server-spi-private (source) | provided | major |
20.0.5 -> 24.0.4
|
org.keycloak:keycloak-services (source) | provided | major |
20.0.5 -> 24.0.4
|
org.keycloak:keycloak-server-spi (source) | provided | major |
20.0.5 -> 24.0.4
|
org.keycloak:keycloak-core (source) | provided | major |
20.0.5 -> 24.0.4
|
Release Notes
keycloak/keycloak (org.keycloak:keycloak-server-spi-private)
v24.0.4
Highlights
Partial update to user attributes when updating users through the Admin User API is no longer supported
When updating user attributes through the Admin User API, you cannot execute partial updates when updating the
user attributes, including the root attributes like username
, email
, firstName
, and lastName
.
For more details, see the Upgrading Guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #27508 Use new remote-store options in HA guides
- #28429 Add details to error messages, especially around refresh tokens
-
#28729 Emphasize the need for setting container limit
docs
-
#28880 Upgrade to Quarkus 3.8.4
dist/quarkus
-
#29183 Minor corrections to High Availability Guide
docs
Bugs
-
#16345 Unable to delete realm names with invalid URL characters
admin/api
-
#22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled
import-export
-
#24568 iframe for frontend logout gets blocked if a custom CSP header is used
core
-
#24878 NoClassDefFoundError for Apache XML and EAP8
adapter/jee-saml
-
#27021 Workflow failure: Fuse adapter tests
ci
-
#27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists
ci
-
#27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided
oidc
-
#28079 Group search does not work in user view
admin/ui
-
#28187 Admin UI drag & drop in flow config seems to delete actions
admin/ui
-
#28220 Admin API: User PUT operation clears firstname, lastname email fields
admin/api
-
#28303 WARN - Event object wasn't available in remote cache after event was received
infinispan
-
#28377 Broken lists in import/export server guide
docs
-
#28431 Dedicated client scopes always show up when searching
admin/ui
-
#28514 Message for searchClientRegistration is missing
admin/ui
-
#28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui
admin/ui
-
#28684 "Extend to children" button in authorization group policies is wrongly disabled
admin/ui
-
#28911 clients_saml_test.spec.ts fails in main
admin/ui
-
#29072 Startup probe should check for existence of an Admin user before returning 200
dist/quarkus
-
#29094 Fix the client name help grammatical error
admin/ui
-
#29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address
core
-
#29147 local user login not possible after LDAP connection problem
ldap
-
#29154 Update docs to distinguish between product names and CR names
docs
-
#29233 Broken link in documentation
docs
v24.0.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
-
#26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak
ldap
Bugs
-
#24201 Cannot disable LDAP-backed user if importEnabled=false
ldap
-
#28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null
identity-brokering
-
#28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly
admin/api
-
#28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored
adapter/javascript
-
#28638 Missing permission to read configmaps in `keycloak-operator-role`
operator
v24.0.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
-
#25057 Inconsistent behaviour on getting user permissions using authorization
authorization-services
-
#27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR
docs
- #27481 Edit High Availability guide
- #27484 Edit 23.0 changes part of Upgrading Guide
- #27632 Integrate downstream Upgrading Guide changes into upstream
-
#27696 Upgrade to Quarkus 3.8.2
dist/quarkus
- #27867 Corrections to Securing Apps Guide
-
#27871 Upgrade to Infinispan 14.0.26
core
-
#27953 Address feedback to Keycloak Server guide
docs
-
#27955 Address term Keycloak in Server Administration Guide
docs
- #28009 Address edits to the Operator Guide
- #28033 Upgrade Infinispan to 14.0.27.Final
-
#28084 Upgrade to Quarkus 3.8.3
dist/quarkus
Bugs
-
#14501 Getting failed to initialize js message if consent is rejected by user
account/ui
-
#15403 No email send on TOTP/Authenticator app removal
core
-
#20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow
authentication
-
#22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow
core
-
#23701 Attribute search does not work with federated users with ldap.
admin/ui
-
#23980 Keycloak Operator fails to install realm authentication flow because "flow is null"
import-export
-
#25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide
docs
-
#25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface.
admin/api
-
#26396 How do you update a custom user storage provider jar that includes a version number?
dist/quarkus
-
#27117 user sessions not accessible in all cluster nodes
infinispan
-
#27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration
authorization-services
-
#27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table
core
-
#27245 Account console does not correctly treat link / unlink account
account/ui
-
#27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui
admin/ui
-
#27275 Invalidating offline token is not working from client sessions tab
authentication
-
#27366 Social login - test failures with unexpected status code
testsuite
-
#27483 Authz-client AuthorizationResource.getPermissions() ClassCastException
authorization-services
-
#27504 Cpu and memory sizing typo
docs
-
#27529 LegacyUserCredentialManager class not found
storage
-
#27540 URL change for liquibase docs
docs
-
#27548 Custom Browser Flow not working anymore
admin/ui
-
#27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported
docs
-
#27597 dropping KC_PROXY=edge causes startup error
core
-
#27611 Cannot modify realm email settings since keycloak 24
user-profile
-
#27653 Admin tests: Flaky realm_settings_user_profile_enabled test
admin/ui
-
#27701 MTLS Cache options should be runtime options, not build time options
dist/quarkus
-
#27719 Wrong Welcome page image in the documentation
docs
-
#27745 Registration template in login2 is broken
login/ui
-
#27761 Snyk workflow failure
ci
-
#27779 Broken Migration "MigrateTo24_0_0"
core
-
#27780 Fixing downstream documentation build
docs
-
#27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme)
user-profile
-
#27820 Account console confusing with WebAuthn
account/ui
-
#27841 ES translation causes FreeMarker rendering issues
translations
-
#27852 VerifyUserProfile invalidates user cache on every login
core
-
#27878 Error when executing refresh grant, with scope param, without offline_access scope specified
oidc
-
#27882 Incorrect version of bctls-fips in the docs
docs
-
#27892 Truststore handling for the Operator is not documented
operator
-
#27894 Multi datasource configuration does not work in Keycloak 24.0.1
dist/quarkus
-
#27900 Performance impact in changed hashing measured wrong
authentication
-
#27925 Keycloak docs state that there are http metrics, but they are disabled
docs
-
#27954 Hibernate Dialect detection does not work anymore for Oracle DBs
storage
-
#27966
🍺 instead of dot: Attributes in account UI are not loadeduser-profile
-
#27967 ORA-01450 when updating keycloak 23 -> 24
storage
-
#27981 User Profile: Inconsistent ordering of attributes between account and login themes
user-profile
-
#28001 MySQL connector artifact should be ignored
dist/quarkus
-
#28012 Keycloak CR Truststore should not have a name
operator
-
#28113 WebAuthN registration broken after upgrading to 24.0.1
authentication/webauthn
v24.0.1
Highlights
Operator deploys nightly build instead of 24.0.0
Due to an issue in the release process when deploying Keycloak using the Operator it installed the nightly
container
instead of 24.0.0
.
As a quick fix to the issue, the 24.0.0
container was tagged with nightly
, and the nightly
releases was temporarily
disabled.
If you installed or upgraded to 24.0.0
using the Operator before 5pm CET yesterday the database may have been updated
with the wrong versions. To check if you are affected connect to your database and run the following SQL command:
SELECT * from migration_model WHERE version = '999.0.0';
If the above returns a matching row you will need to take some actions, otherwise database migrations will not run for future releases. To resolve this run the following SQL command:
UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v24.0.0
Highlights
Supported user profile and progressive profiling
The user profile preview feature is promoted to be fully supported and user profile is enabled by default.
In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our awesome community.
The following are a few highlights of this feature;
-
Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.
-
Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.
-
Dynamic forms - Previously, the forms where users created or updated their profiles, contain four basic attributes like username, email, first name and last name. The addition of any attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.
-
Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a particular attribute to be a URL or number.
-
Annotations - Ability to specify that particular attribute should be rendered for instance as a text area, an HTML select with specified options, or calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.
-
Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of
scope
parameter. This effectively allow progressive profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client applications that are used by the user. -
Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.
The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.
We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:
For more details about user profile capabilities, see the Server Administration Guide.
Breaking changes to the User Profile SPI
In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the Upgrading Guide.
Changes to Freemarker templates to render pages based on the user profile and realm
In this release, the following templates were updated to make it possible to dynamically render attributes based on the user profile configuration set to a realm:
-
login-update-profile.ftl
-
register.ftl
-
update-email.ftl
For more details, see the Upgrading Guide.
New Freemarker template for the update profile page at first login through a broker
In this release, the server renders the update profile page when the user is authenticating through a broker for the
first time using the idp-review-user-profile.ftl
template.
For more details, see the Upgrading Guide.
Java adapter deprecation and removal
Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. To give the community more time to adopt this was delayed.
With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.
The generic Authorization Client library will continue to be supported, and aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries.
The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.
Jetty adapter removed
Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been removed from this release.
New Welcome Page
The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.
If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.
New Account Console now the default
We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.
This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.
If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.
Keycloak JS
exports
field in package.json
Using The Keycloak JS adapter now uses the exports
field in its package.json
. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.
PKCE enabled by default
The Keycloak JS adapter now sets the pkceMethod
option to S256
by default. This change enables Proof Key Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set the pkceMethod
option to false
to disable it.
Changes to Password Hashing
In this release, we adapted the password hashing defaults to match the OWASP recommendations for Password Storage.
As part of this change, the default password hashing provider has changed from pbkdf2-sha256
to pbkdf2-sha512
.
Also, the number of default hash iterations for pbkdf2
based password hashing algorithms changed. This change means better security aligned with latest recommendations, but
it has impact on performance. It is possible to stick to the old behaviour by adding password policies hashAlgorithm
and hashIterations
to your realm. For more details, see the Upgrading Guide.
OAuth/OIDC related improvements
Lightweight access tokens support
This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims.
This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight access token. It is OFF by default, which means that most claims are not added.
Also, a client policy executor exists. Use it to specify if a particular client request should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.
A previous release added an Add to token introspection switch. You use it to add claims that are not present in the access token into the introspection endpoint response.
Thanks to Shigeyuki Kabano for the contribution and Thanks to Takashi Norimatsu for a help and review of this feature.
OAuth 2.1 support
This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients. Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.
Scope parameter supported in the refresh token flow
Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as described in the OAuth2 specification. Thanks to Konstantinos Georgilakis for the contribution.
Client policy executor for secure redirect URIs
A new client policy executor secure-redirect-uris-enforcer
is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance,
you can specify that client redirect URIs cannot have wildcards, should be just from specific domain, must be OAuth 2.1 compliant, and so on.
Thanks to Lex Cao and Takashi Norimatsu for the contribution.
Client policy executor for enforcing DPoP
A new client policy executor dpop-bind-enforcer
is introduced. You can use it to enforce DPoP for a particular client if dpop
preview
is enabled.
Thanks to Takashi Norimatsu for the contribution.
Supporting EdDSA
You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT.
This feature includes identity brokering where Keycloak itself signs client assertions that are used for private_key_jwt
authentication to third party identity providers.
Thanks to
Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.
EC Keys supported by JavaKeystore provider
The provider JavaKeystoreProvider
for providing realm keys now supports EC keys in addition to previously supported RSA keys.
Thanks to Stefan Wiedemann for the contribution.
Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers
OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. Thanks to MT for the contribution.
OAuth Grant Type SPI
The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types supported by the Keycloak OAuth 2 token endpoint. Thanks to Dmitry Telegin for the contribution.
CORS improvements
The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that CorsSPI
is internal and may change at a future release.
Thanks to Dmitry Telegin for the contribution.
Truststore improvements
Keycloak introduces improved truststores configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default conf/truststores
, or use the new truststore-paths
config option. For details refer to the relevant guide.
Versioned Features
Features now support versioning. To preserve backward compatibility, all existing features (including account2
and account3
) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.
For details refer to the features guide.
Keycloak CR Truststores
You may also take advantage of the new server-side handling of truststores by using the Keycloak CR, for example:
spec:
truststores:
mystore:
secret:
name: mystore-secret
myotherstore:
secret:
name: myotherstore-secret
Currently only Secrets are supported.
Trust Kubernetes CA
The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.
Automatic certificate management for SAML identity providers
The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the Metadata descriptor URL
option in the provider (the URL where the IDP metadata information with the certificates is published) and set Use metadata descriptor URL
to ON
. The certificates are automatically downloaded and cached in the public-key-storage
SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.
See the documentation for more details about the new options.
Non-blocking health check for load balancers
A new health check endpoint available at /lb-check
was added.
The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue.
This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load.
The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.
This endpoint is not available by default.
To enable it, run Keyloak with the multi-site
feature.
For more details, see Enabling and disabling features.
Keycloak CR Optimized Field
The Keycloak CR now includes an startOptimized
field, which may be used to override the default assumption about whether to use the --optimized
flag for the start command.
As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.
Enhanced reverse proxy settings
It is now possible to separately enable parsing of either Forwarded
or X-Forwarded-*
headers by using the new --proxy-headers
option.
For details, see the Reverse Proxy Guide.
The original --proxy
option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.
Changes to the user representation in both Admin API and Account contexts
In this release, we are encapsulating the root user attributes (such as username
, email
, firstName
, lastName
, and locale
) by moving them to a base/abstract class in order to align how these attributes
are marshalled and unmarshalled when using both Admin and Account REST APIs.
This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile configuration set to a realm.
For more details, see the Upgrading Guide.
Sequential loading of offline sessions and remote sessions
Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel. If offline session preloading is enabled, those will be loaded sequentially as well.
For more details, see the Upgrading Guide.
Performing actions on behalf of another already authenticated user is not longer possible
In this release, you can no longer perform actions such as email verification if the user is already authenticated and the action is bound to another user. For instance, a user can not complete the verification email flow if the email link is bound to a different account.
Changes to the email verification flow
In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message will be shown.
In addition to that, a new error (EMAIL_ALREADY_VERIFIED
) event will be fired to indicate an attempt to verify an already verified email. You can
use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action.
Deprecated offline session preloading
The default behavior of Keycloak is to load offline sessions on demand. The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.
For more details, see the Upgrading Guide.
Configuration option for offline session lifespan override in memory
To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.
For more details, see the Server Administration Guide.
Infinispan metrics use labels for cache manager and cache names
When enabling metrics for Keycloak8217;s embedded caches, the metrics now use labels for the cache manager and the cache names.
For more details, see the Upgrading Guide.
User attribute value length extension
As of this release, Keycloak supports storing and searching by user attribute values longer than 255 characters, which was previously a limitation.
For more details, see the Upgrading Guide.
Brute Force Protection changes
There have been a couple of enhancements to the Brute Protection:
-
When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.
-
In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.
-
The property
failedLoginNotBefore
has been added to thebrute-force/users/{userId}
endpoint
Authorization Policy
In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted then that policy would also be deleted. Unfortunately this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation the effect policies are no longer deleted and an administrator will need to update those policies.
Keycloak CR cache-config-file option
The Keycloak CR now allows for specifying the cache-config-file
option by using the cache
spec configMapFile
field, for example:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: example-kc
spec:
...
cache:
configMapFile:
name: my-configmap
key: config.xml
Keycloak CR resources options
The Keycloak CR now allows for specifying the resources
options for managing compute resources for the Keycloak container.
It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.
When no values are specified, the default requests
memory is set to 1700MiB
, and the limits
memory is set to 2GiB
.
You can specify your custom values based on your requirements as follows:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: example-kc
spec:
...
resources:
requests:
cpu: 1200m
memory: 896Mi
limits:
cpu: 6
memory: 3Gi
For more details, see the Operator Advanced configuration.
Temporary lockout log replaced with event
There is now a new event USER_DISABLED_BY_TEMPORARY_LOCKOUT
when a user is temporarily locked out by the brute force protector.
The log with ID KC-SERVICES0053
has been removed as the new event offers the information in a structured form.
For more details, see the Upgrading Guide.
Updates to cookies
Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
SAML User Attribute Mapper For NameID now suggests only valid NameID formats
User Attribute Mapper For NameID allowed setting Name ID Format
option to the following values:
-
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
-
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
-
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
-
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
However, Keycloak does not support receiving AuthnRequest
document with one of these NameIDPolicy
, therefore these
mappers would never be used. The supported options were updated to only include the following Name ID Formats:
-
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
-
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
-
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Different JVM memory settings when running in container
Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses relative values to the total memory of a container.
The JVM options -Xms
, and -Xmx
were replaced by -XX:InitialRAMPercentage
, and -XX:MaxRAMPercentage
.
For more details, see the Running Keycloak in a container guide.
GELF log handler has been deprecated
With sunsetting of the underlying library providing integration with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future release. If you require an external log management, consider using file log parsing.
Support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release supports active-passive deployments for Keycloak.
To get started, use the High Availability Guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
-
#15190 RestAPI endpoint "send-verify-email" sending execute actions email template.
admin/api
-
#19586 @keycloak/keycloak-admin-client doesn't provide an ability to use optional client scope for access token
admin/client-js
-
#23539 User profile attributes should only accept a single value unless configured otherwise
user-profile
-
#25167 Implement POST logout in Keycloak JS
adapter/javascript
-
#25446 CORS SPI
oidc
-
#25676 Introduce new CLI config options for Infinispan remote store
dist/quarkus
-
#25702 Encrypt network communication in JGroups
dist/quarkus
- #25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x
- #25903 Create new landing page for admin console
-
#25941 Issue Verifiable Credentials in the JWT-VC format
core
-
#26028 Remove conditional statements about Windows / Linux from the docs
docs
-
#26250 OAuth 2.0 Grant Type SPI
oidc
-
#26455 Supported option to specify maximum threads used to handle HTTP requests
dist/quarkus
-
#26456 Supported option to specify resource management for pods in Keycloak CR
dist/quarkus
-
#26458 Support custom Infinispan configuration file in Keycloak CR
operator
-
#26460 Supported option to specify site name for multi-site deployments
dist/quarkus
- #26500 Cookie Provider
- #26936 Support EC Key-Imports for the JavaKeystoreKeyProvider
- #27186 Meta description of admin-ui and account-ui cannot be changed in theme.properties
Enhancements
-
#9508 Rename "Resident key" to "Discoverable Credential"
docs
-
#9758 User attributes with a text more than 255 characters
storage
-
#9784 Add truststore options to Keycloak CR
operator
-
#10794 Support importing Kubernetes CA
operator
-
#12009 Support for scope parameter in the refresh flow
oidc
-
#12352 Align Operator config naming with Quarkus distribution
operator
-
#12946 Add X509 thumbprint to JWT when using private_key_jwt
oidc
-
#13250 --verbose option doesn't work in Quarkus distribution
dist/quarkus
-
#15000 Add EdDSA/Ed25519 to WebAuthn Signature algorithms
authentication/webauthn
-
#15714 Supporting EdDSA
oidc
-
#16629 Increase the default iterations for Pbdkdf2-256/512 to match the updated OWASP recommendations
authentication
- #17574 Add failedLoginNotBefore field to existing brute force detection status API
-
#17735 Admin-UI: Show realm display name in realm drop down instead of realm id if available
admin/ui
- #19190 Add "amr" to already implemented "acr" support
-
#19285 Disable Groovy Closures when bootstrapping Picocli
dist/quarkus
-
#20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2
admin/ui
- #21074 Identity providers: pagination in admin console
-
#21343 Upgrade welcome theme to PatternFly 5
welcome/ui
- #21559 Provide raw OpenAPI specification alongside Keycloak Admin REST API html documentation
- #21578 Scope parameter in Oauth 2.0 token exchange
-
#21771 List reload button for admin panel
admin/ui
-
#22436 Query users by 'LDAP_ID' is not working
ldap
-
#22922 Use Infinispan BOM instead of direct Infinispan dependencies
storage
-
#23057 Localization tabs
admin/ui
- #23431 Allow user to select between `Forwarded` or `X-Forwarded-*` header
-
#23470 Docs: authorization_services/topics/service-authorization-obtaining-permission.adoc
authorization-services
-
#23854 Use upstream Quarkus functionality for non-blocking probes
dist/quarkus
-
#23878 User profile configuration scoped to user-federation provider
user-profile
-
#23896 Changes in declarative user profile should result in admin events
user-profile
-
#24094 Map Store Removal: Delete map profiles from testsuite
storage
-
#24097 Map Store Removal: Delete container providers that were added to the base testsuite
storage
-
#24102 Map Store Removal: Delete Profile.Feature.MAP_STORAGE and all its usages
storage
-
#24103 Map Store Removal: Delete GlobalLockProvider
storage
-
#24105 Map Store Removal: Rename Legacy* classes
storage
-
#24107 Map Store Removal: Revert deprecated modules in model/legacy and rename "legacy" to "storage"
storage
- #24148 Add config property to specify a list of truststores
-
#24202 Cache stampede after client invalidation
storage
- #24245 Parse default UserProfile configuration in the build time
-
#24250 Allow selecting attributes from user profile when managing token mappers
user-profile
- #24344 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
-
#24412 Accessibility of 2FA method selection
login/ui
-
#24422 UMA 2 not evaluating as expected when using permission tickets
authorization-services
-
#24424 Query on update the ADFS FederationMetadata.xml on the keycloak instead of delete and recreating the IDP config #24310
saml
-
#24567 Map Store Removal: Revert changes related to map store in test classes in base testsuite
storage
- #24668 Features versioning
-
#24793 Map Store Removal: Remove `LockObjectsForModification`
storage
- #24798 Add truststores to keycloak cr
-
#24860 Initialize Infinispan earlier in the build chain
dist/quarkus
-
#24926 Add polish translations
admin/ui
-
#24995 Avoid deprecated API usage in testsuite/integration-arquillian/tests/base
core
-
#25058 Add Polish Translations to Account UI
account/ui
-
#25074 Update Kerberos provider for user-profile
user-profile
-
#25075 Update SSSD provider for user-profile
user-profile
-
#25103 Remove product from server info
admin/ui
- #25113 Add a test for the LoadBalancerCheck
-
#25146 Decouple "factory" methods from the "provider" methods on UserProfileProvider implementation
user-profile
-
#25149 Replace the existing themes with the dynamic templates from user profile
user-profile
- #25236 Documentation about Australia Consumer Data Right security profile
- #25238 Add missing Arabic messages
- #25287 Upgrade Infinispan to 14.0.21.Final
-
#25288 Map Store Removal: Remove protostream dependency
storage
-
#25300 Deprecate offline session preloading
infinispan
-
#25308 Map Store Removal: Revert changes made to backchannelLogout
storage
-
#25309 Map Store Removal: Remove ResponseSessionTask
storage
-
#25314 Supporting OAuth 2.1 for confidential clients
oidc
-
#25315 Client policies : executor for enforcing DPoP
oidc
-
#25316 Supporting OAuth 2.1 for public clients
oidc
- #25328 Tests for client scopes/evaluate tab are missing
- #25375 Extra tests for realm roles
-
#25388 Enable concurrent remote operations for Infinispan
storage
-
#25403 Implements attributes field in KeycloakProfile interface
admin/client-js
-
#25404 Adapt incremental build for latest changes in themes module
ci
-
#25415 Describe how to use Infinispan Batch CRs for automation with the external Infinispan
storage
- #25416 Update UserProfileProvider.setConfiguration to accept UPConfig instead of String
- #25487 Add extra tests for realm-settings in admin-ui
-
#25637 Client policies: executor for validate and match a redirect URI
oidc
-
#25638 Keycloak native implementation of SD-JWT
core
- #25666 [Admin UI] Allow to customize built-in components administration UI via ConfiguredProvider
-
#25691 More info on UserProfileContext
user-profile
-
#25738 Tooltips improvements when configuring user profile attribute
user-profile
-
#25770 X509 client certificate login label extends out of form
login/ui
- #25823 Ability to declare a default "First broker login flow" per Realm
- #25872 Make the `user` attribute available to the `idp-review-user-profile.ftl` template
-
#25882 RealmResourceProvider is not working as expected since version 23.0.0
core
-
#25897 Admin UI: Show realm display name on welcome page
admin/ui
-
#25908 Could not format default value for log formats
dist/quarkus
-
#25915 Make more clear in the documentation that the wait time is only increased on multiples of the max number of failures
docs
- #25935 Create Infinispan metrics with labels instead of long metric names
- #25962 Missing localization of cs+sk messages
-
#25979 User profile attribute names with strange characters
docs
-
#25985 Enable verify-profile required action by default
user-profile
- #26068 Reduce internal unsupported options in the Keycloak HA documentation
- #26083 Change RHDG references to Infinispan
-
#26092 Do not use raw parameterized PropertyMapper
dist/quarkus
-
#26146 Migration docs for https://github.com/keycloak/keycloak/issues/15190
docs
-
#26172 Permanently lock users out after X temporary lockouts during a brute force attack
authentication
-
#26198 Comprehensive log for the LoggingDistTest and Quarkus IT
testsuite
-
#26220 Don't differentiate Windows for getting started
docs
-
#26223 Use `--http-max-queued-requests` option in Keycloak HA documentation
docs
-
#26241 Do not use general debug log level for tests
testsuite
- #26315 Fully remove reasteasy-core
-
#26320 Allow formating numbers when rendering attributes
user-profile
- #26325 Remove unused HttpResponse.setWriteCookiesOnTransactionComplete
- #26402 Improve wording in Concepts for configuring thread pools section in documentation
- #26416 Remove support for old cookie path
- #26430 Implement stricter controls at token endpoint for PKCE verification
- #26457 Remove support for multiple AUTH_SESSION_ID cookies
-
#26469 Documentation for verify-profile required action enabled by default
docs
-
#26485 Add missing Arabic translations
translations
-
#26489 Ability to have alternative default user-profile configuration
user-profile
-
#26530 Map Store Removal: Remove `RealmModel` from authorization services interfaces
storage
-
#26552 Do we need to hide "required" settings for email?
user-profile
- #26570 Upgrade liquibase to 4.25.1
-
#26585 Improve UX of read-only attributes
user-profile
-
#26587 Documentation for SuppressRefreshTokenRotationExecutor
oidc
-
#26589 Allow Case-Insensitive Search on Provider Info Page in Admin UI
admin/ui
-
#26598 Map Store Removal: deprecate model legacy module
storage
-
#26626 Brute force detection should issue event for temporary lockout
core
-
#26634 Documentation for default validation changes due user-profile enabled
docs
-
#26683 Remove explicitly set `lit-element` version
dist/quarkus
-
#26689 Update Maven dependency versions for docs
docs
-
#26701 Upgrade to Quarkus 3.7.1
dist/quarkus
- #26730 Add Multi-AZ Aurora DB to CI store-integration-tests
- #26776 Update documentation to use new Infinispan configuration options
-
#26781 Update HA guide about non-blocking probes
docs
-
#26810 Shorter lifespan for offline session cache entries in memory
storage
-
#26812 Upgrade to embedded Infinispan 14.0.24
storage
-
#26819 Use version specific tag for Keycloak images in the docs
docs
-
#26859 Upgrade to Quarkus 3.8
dist/quarkus
- #26898 User profile: Add regression test for select inputs
-
#26910 Keycloak Operator should add service-ca.crt to the truststore
operator
-
#26916 Upgrade to Quarkus 3.7.2
dist/quarkus
-
#26919 doc: add a clear mention in the documentation about the storage of the refresh and access token
docs
-
#26921 Use latest OLM version for Operator CI
testsuite
-
#26929 Ignore unrecognized truststore formats if `--truststore-paths` is a directory
dist/quarkus
- #26967 Aurora Postgres IT: Upload flaky and surefire test reports
-
#27036 Upgrade to Quarkus 3.7.3
dist/quarkus
- #27048 Add Amazon Aurora PostgreSQL to the list of tested databases
- #27078 Update Keycloak HA Guide new resource limit settings
- #27084 Remove the preview note from Keycloak's HA guide
- #27093 "Open ID Connect" in docs / UIs should be "OpenID Connect"
-
#27105 Add New User Registration Option on WebAuthn Authentication UI
authentication/webauthn
- #27121 Remove references to Quarkus docs and absolute URLs from HA Guide docs
- #27123 Use AWS JDBC Wrapper in CI tests
- #27125 Add warning about too long attribute values
-
#27143 Distinguish user registration action label from the security key registration action's one
authentication/webauthn
-
#27147 Replace "Security Key" with "Passkey" in WebAuthn UIs and their documents
authentication/webauthn
-
#27148 Allow overriding the default validators added to attributes
user-profile
-
#27169 Tweak the default memory request and limit in the Operator
operator
- #27190 a11y improvements on login page
-
#27226 Upgrade to Quarkus 3.7.4
dist/quarkus
-
#27238 Add option to clients to use lightweight access token
oidc
- #27280 Upgrade to Infinispan 14.0.25
-
#27281 Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call.
identity-brokering
- #27315 Change docker image to container image
-
#27324 Remove RHSSO product documentation from upgrading guide
docs
-
#27326 Edit Keycloak 24.0 release notes
docs
- #27327 Harmonize behaviour of different CertificateUtilsProvider implementations
- #27440 Edit Keycloak 23.x Release Notes
- #27452 Edit Keycloak 24 Upgrade guide
Bugs
-
#9871 Remove Infinispan workarounds introduced to prevent deadlocks
storage
-
#11178 Event for MISSING_REQUIRED_DESTINATION with idp brokering incorrectly says error is related to logout even for a login response
saml
-
#13080 Encoded token stored as KC_RESTART cookie uses weak algorithm- HS256
authentication
-
#13368 Issue when using DenyAuthenticator in direct-grant flow
authentication
-
#14448 Multiple failures in OfflineServletsAdapterTest (testServlet, testServletWithConsent, testServletWithRevoke)
testsuite
-
#14581 HTTP Redirect 303 to wrong URL (in case port is not 80) when trailing slash is not added
dist/quarkus
-
#14776 Mail verification isn't working for multiple accounts in one session (only on auto login by clicking the verification mail, not by logging in with the credentials)
authentication
-
#16260 Incorrect handling of OptionParserException in kcadm
admin/cli
-
#17155 UPDATED_PASSWORD user action shouldn't be triggered when login with linked IdP
user-profile
-
#17449 Removing the Realm ID and saving causes the realm to be vanished from the list of the realms
admin/api
-
#19183 token-exchange does apply clientScopes of the origin client
token-exchange
-
#19294 Error on starting keycloak when foldername contains ")" using kc.bat.
dist/quarkus
-
#19886 Allow configuration cookies with `SameSite=Strict` for better compliance with strict regulations and standards
authentication
-
#20304 When choosing resources in scope-based permission, multiple resource can be selected but only one will be visable
admin/ui
-
#20867 Control redirect after password reset
core
-
#21127 During password reset, the baseURL is not shown on the info page after browser restart
authentication
-
#21151 Realm import stack overflow
import-export
-
#21409 Brute Force Detection is disabled when updating frontenUrl via admin client
authentication
-
#21542 Context path missing in URL on OTP page to switch between QR code and manual code
core
-
#21730 v 22.0.0 - when creating a new realm the registration flow does not have terms and conditions step
core
-
#21951 Unable to use `<` as part of a password
admin/cli
-
#22082 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes
storage
-
#22401 Common resources in Welcome page didn't resolve correctly
welcome/ui
-
#22431 Localization: Admin UI doesn't pick up message bundles from realms other than master
admin/ui
-
#22507 User profile attributes not localized in account console V3
user-profile
-
#22540 Description of "Configuring sources for Keycloak" inconsistent / misleading
docs
-
#22555 Docs: server_development/topics/identity-brokering.adoc
docs
-
#22660 Implementing custom ClientAuthenticator loses access to Client Secret Input Field in the Admin UI
admin/ui
-
#22691 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes
authentication
-
#22836 Invalid redirect uri when identity provider alias has spaces
identity-brokering
-
#22904 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode
ci
-
#22958 KeycloakErrorHandler NullPointerException String.toLowe rCase() because message is null
authentication
-
#23023 Undocumented change in priority of X-Forwarded-* headers as of Quarkus distribution
core
-
#23056 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently
storage
-
#23217 NoSuchFileException with ${kc.home.dir} on Windows
dist/quarkus
-
#23229 Realm client update via PUT returns invalid registration_client_uri with duplicated client ID in address
admin/api
-
#23268 New Install with MySQL failing with REALM_SOCIAL_CONFIG ADD issue
storage
-
#23399 Audience is lost after refreshing a RPT
authorization-services
-
#23683 Default-Value in UI for krbPrincipalAttribute is error prone
admin/ui
-
#23699 Account v3 theme - Localization not working on account console
account/ui
-
#23786 Failure: FipsDistTest
ci
-
#23966 Group members are displayed incorrectly when using LDAP in READ_ONLY mode
admin/api
-
#24082 Selected locale is not taking into accoun in `keycloak.v3 account` theme
account/ui
-
#24141 LDAP user mapper for username: user appears twice in the GUI
ldap
-
#24144 Unable to locate entity descriptor: org.keycloak.examples.domainextension.jpa.Company
core
-
#24200 NPE in User Session Note mapper on Token Exchange
token-exchange
-
#24219 admin-fine-grained-authz + client authorization settings requires view-client role
admin/ui
-
#24323 Refresh request ignores scope parameter from refresh request
oidc
-
#24353 Keycloak operator tries to manipulate Secret which is not managed by Keycloak
operator
-
#24361 Adding scopes via registration_client_uri does not work when using Dynamic Client Registration
admin/api
-
#24369 UpdateUserLocaleAction does not trigger EventType.UPDATE_PROFILE event
user-profile
-
#24459 Keycloak fails to start when uninstalling custom provider
dist/quarkus
-
#24464 Tabbing is not working in forms inside dropdown
admin/ui
-
#24485 NullPointerException when key is not available in the database
oidc
-
#24506 Reopening 2 - CVE-2023-21971 - Update Connector/J to 8.0.33
dependencies
-
#24508 Deadlock when pre-loading remote sessions from external Infinispan
storage
-
#24595 Leaving Single Sign Out page open for too long and then confirming logout leads to error page
authentication
-
#24626 Upgrade testsuite to use SpringBoot 2.7
ci
-
#24651 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user.
authorization-services
-
#24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set
saml
-
#24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token
admin/ui
-
#24767 Improve LDAP Condition implementations
ldap
-
#24783 Keycloak Admin UI - Help text not localized in Realm Events Setting UI
admin/ui
-
#24923 Importing Keycloak breaks typescript in esModule
adapter/javascript
-
#24960 OpenAPI spec doesn't match the admin API
admin/api
-
#24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same
saml
-
#24980 The `DefaultActionToken` serializes a JSON Object with duplicate keys
oidc
-
#24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive
core
-
#25001 Client redirect_uri check must be compared using exact string matching
oidc
-
#25016 Make password visibility css classes configurable for themes
login/ui
-
#25033 Typo in the balloon help of SAML Username Template Importer
core
-
#25041 Incomplete Spanish translations for Admin UI
translations
-
#25051 Unexpected Application Error when clicking "Cancel" on user creation page
admin/ui
-
#25054 Read Only Access of the realm users' "Role mapping" tab is broken for Admin Console
admin/ui
-
#25060 fix debug log string
core
-
#25078 Log Injection during WebAuthn authentication/registration
authentication
-
#25096 Meaning of briefRepresentation query parameter is inverted in GroupResource.getSubGroups
admin/api
-
#25110 User Profile attribute with "Options" shows options of another attribute if none set on it
user-profile
-
#25111 RealmAdminResource.getGroupByPathGroup does not work with space in path parameter
admin/api
-
#25173 Make sure username is lowercase when normalizing attributes
user-profile
-
#25183 NullPointerException thrown for UPConfig.getGroups()
user-profile
-
#25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup
ci
-
#25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol
oidc
-
#25235 Unable to start after updating Docker container
dist/quarkus
-
#25290 Social Login Tests unable to retrieve Federated Access Token from user session
testsuite
-
#25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off
ldap
- #25322 Warning "Event object wasn't available in remote cache" when using remote store
-
#25392 Admin Console: Realm Dropdown should only show the realms the user has access to
admin/ui
-
#25417 Avoid keycloak-admin-client in UI to call admin console UI extension
admin/ui
-
#25423 Confusing error message by pr-backport.sh when not authenticated to gh
ci
-
#25433 Key provider UI issue while saving - RSA
admin/ui
-
#25449 Clean up translations for DE/EN/NL for a first test-run of Weblate
translations
-
#25451 Admin cli failing when adding roles to a 3rd group in a list
admin/cli
-
#25463 Unnecessary user profile metdata sent on user update
user-profile
-
#25475 User Profile: If required roles ("user") and reqired scopes are set, the required scopes have no effect
user-profile
-
#25502 Account v3 theme - theme.properties Custom theme scripts not loading
account/ui
-
#25515 Deleting an atribute from the UI is reseting the unmanaged attribute policy
user-profile
-
#25544 Post Logout Redirect URIs "+" behavior is inconsistent with other usages (i.e. Web Origins)
oidc
-
#25565 OpenAPI: POST for /admin/realms response is 201
admin/api
-
#25566 Failure in SSSDUserProfileTest.test05MixedInternalDBUserProfile
testsuite
-
#25584 iss not returned as query param in redirect to app when using "prompt=none" and user is not authenticated
oidc
-
#25601 OpenAPI: POST /admin/realms/{realm}/clients response is 201
admin/api
-
#25604 OpenAPI: Client authz endpoints without responses
admin/api
-
#25628 Translations missing in user details role mapping
admin/ui
-
#25633 Parsing of labels issue IDs doesn't work with colons and the "fixes" keyword
ci
-
#25636 "Disable realm?" displayed when disabling client
admin/ui
-
#25642 Failure in KeycloakDistConfiguratorTest's 'missingHostname' check
testsuite
-
#25649 OpenAPI: In ClientRepresentation the property oauth2DeviceAuthorizationGrantEnabled was not known by the API.
admin/api
-
#25656 OpenAPI: POST /admin/realms/{realm}/clients-initial-access response is 201
admin/api
- #25660 Incorrect version of the fix in release notes
-
#25677 Removing all group attributes no longer works with keycloak-admin-client (java)
admin/client-java
-
#25679 `/admin/realms/{realm-name}/ui-ext/realms` endpoint leaks realms the user doesn't have access to see
admin/ui
-
#25699 Flaky test Job URL missing on some runs
ci
-
#25704 Custom Validator is never executed when UserProfileContext is UPDATE_EMAIL
user-profile
-
#25714 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet
ci
-
#25731 /admin/realms/{realm}/groups Endpoint is slow
admin/api
-
#25746 Using kcadm.sh create components result to 400 Bad Request
admin/cli
-
#25752 [CI] Store Model Tests failures - UserSessionProviderOfflineModelTest, OfflineSessionPersistenceTest, UserSessionInitializerTest
storage
-
#25753 Backchannel logout token is missing the "exp" claim
oidc
-
#25783 Since 23, start-dev command line arguments parsing is buggy
dist/quarkus
-
#25789 User events: labels overlap content
admin/ui
-
#25827 admin ui uses hyphen instead of dot as realm attribute separator
admin/ui
-
#25853 Timeouts after upgrade of download action v4
ci
-
#25878 HTML emails in Catalan don't contain links
translations
-
#25883 ldap-group-mapper fails when empty member: attribute is present
ldap
-
#25891 Optimize handling of terms and conditions during registration
core
-
#25892 Test suite depends on artifacts built only when distribution profile is active
ci
- #25909 Keycloak HA Guide uses token for cross-site setup that expires
-
#25912 LDAP federation reports "Creating new LDAP Store..." on every login
ldap
-
#25927 UI crash after using breadcrumb group navigation during an active group search
admin/ui
-
#25934 On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template
authentication
-
#25939 Declartive user profile. When multiple attributes with options validator are defined and 1 is selected on UI shown that 2 of them have values.
user-profile
-
#25951 Masthead tests fail often
admin/ui
-
#25961 Native SQL Schema names broken on MySQL
storage
-
#25977 No error message displayed when trying to add read-only attribute to some user in `Attributes` tab
user-profile
-
#25980 Force reauthentication is ignored during identity brokering when mapping between OIDC and SAML protocols
saml
-
#25981 GitHub Status check is green if the build fails
ci
-
#26021 `mvn clean` does not work in js directory
account/ui
-
#26032 Duplicate tooltip/label for refresh button on device activity page
account/ui
-
#26036 subgroups clickopen not working
admin/ui
-
#26040 Subgroups-check is incorrect, and therefore subgroups are not clickable
admin/ui
-
#26051 Name ID Format field is confusing for User Attribute Mapper For NameID
saml
-
#26052 Configure OTP Form regenerates Secret on reload
authentication
-
#26059 Attempting to update settings for realm with "dots" in the name fails due to client side validation
admin/ui
- #26060 Various Localization tab issues
-
#26075 Next time you start message references the wrong command
dist/quarkus
-
#26088 Rest custom JAX-RS resource in kc 23: Method not allowed
core
-
#26131 Localization: Realm overrides subtab
admin/ui
-
#26132 Localization: Effective message bundles subtab
admin/ui
-
#26148 Keycloak JavaScript CI: client_scopes_test.spec.ts
ci
-
#26156 A11y critical violation in ProviderId form field
admin/ui
-
#26168 KC_DB_DRIVER is not propagated properly
admin/cli
-
#26177 Invalidate authentication session on repeated OTP failures
authentication
-
#26180 Invalidate authentication session on repeated Recovery Code failures
authentication
-
#26228 With fine grained permissions enabled, the grouptree rights check is not working correctly
admin/ui
-
#26231 keycloak-admin-client missing recent changes to group query parameters
admin/client-js
-
#26236 Ensure community-maintained translations are not part of product build
account/ui
-
#26266 Importing Realm with declarative user profile attributes fails
user-profile
-
#26281 Incorrect example in the Keycloak operator configuration
operator
-
#26291 Workflow failure: FIPS IT - KcSamlEncryptedIdTest#testEncryptedElementIsReadableInDeprecatedMode
ci
-
#26295 Incomplete Chinese Translation for Login Page
translations
-
#26308 Error when migrating from a realm where the user profile component does not hold any entry in the configuration
user-profile
-
#26323 Reset credentials action fails when triggered from first broker login flow
identity-brokering
-
#26330 HTTP status code 413 Request Entity Too Large for large SAMLResponse since Keycloak 23
saml
-
#26334 Resource and permission titles missing for a new client
admin/ui
-
#26335 Bind flow modal broken
admin/ui
-
#26337 Write tests to cover binding a flow
testsuite
-
#26350 Fix more A11y violations
admin/ui
-
#26358 Apparently incorrect tooltip on "type" field for a "resource" in a client
admin/ui
-
#26363 Search dialog for authorization policy is wrong?
admin/ui
-
#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode
ci
-
#26375 The role Unassign button enabled in admin console even if no roles are selected
admin/ui
-
#26383 Labels for WebAuthN missing in Account Console
account/ui
-
#26390 More A11y Violations Detected
admin/ui
-
#26400 Workflow failure: Admin UI E2E - realm_test.spec.ts
ci
-
#26407 Typo in disable dialog
admin/ui
-
#26409 Duplicate `key` for credentials on sign in page
account/ui
-
#26418 Failed to link identity broker to user with a verified email by IdP email verification flow
identity-brokering
-
#26420 Labels for WebAuthN Passwordless missing in Account Console
account/ui
-
#26427 Operator CSV uses wrong format for `createdAt` field
operator
-
#26452 Row remains selected when "cancel" clicked on deleting translation in the Localization/Realm Overrides tab
admin/ui
-
#26464 "Test connection" on LDAPS URI does not test TLS handshake
admin/api
-
#26468 SPI-truststore-file-type option appears to be invalid
docs
-
#26490 Update Keycloak sizing guide after change of default hashing configuration
core
-
#26507 Failed to link the user with an existing read-token role from the federation provider when AddReadTokenRoleOnCreate was enabled for the IdP.
storage
-
#26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode
ci
-
#26549 Mysterious settings changes due to Keycloak cluster changes
admin/ui
-
#26564 Issues related to IDNHomographValidator
user-profile
-
#26584 User details locale select broken in realm specific admin console
admin/ui
-
#26588 Infinite loop during X509 authentication
authentication
-
#26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number
core
-
#26604 Arc container is null
dist/quarkus
-
#26609 allow sending realm in request without changing the kc admin object
admin/client-js
-
#26612 Wrong delete messages in Realm overrides
admin/ui
-
#26618 CLIENT_ATTRIBUTES index idx_client_att_by_name_value no longer exists since KC 20 (postgres)
storage
-
#26631 Keycloak HA guide with blank and callout
docs
-
#26635 Account UI ships too much Beer in user attributes
user-profile
-
#26636 Immediately reflect flow binding status on flow definition page in Admin UI when binding an auth flow
admin/ui
-
#26643 Replace "message bundle" text to "translation" in realm overrides
admin/ui
-
#26649 PhantomJS does not send secure cookies over http://localhost
core
-
#26651 [keycloak.js] useNonce parameter is all-or-nothing
adapter/javascript
-
#26653 Disallow removing required filters when searching for effective message bundle.
admin/ui
-
#26665 Unable to modify access token lifespan at realm level. Keycloak stops working.
core
-
#26668 Wrong help for "Create initial access token" expiration field
admin/ui
-
#26686 Not possible to build documentation after quarkus upgrade
docs
-
#26697 When creating a user federation mapper changing the type doesn't change User Roles Retrieve Strategy
admin/ui
-
#26716 User Profile Applies Validation To Service Account Users
user-profile
-
#26727 Auto layout of authenticator flow graph only applies the second time
admin/ui
-
#26747 Tooltip for attribute name in user-profile configuration is incorrect
user-profile
-
#26750 Empty error message when validation issue due the PersonNameProhibitedValidator validation
user-profile
-
#26782 Accessing userinfo fails with CORS when token is expired or session is deleted
oidc
-
#26790 Workflow failure: Operator IT on OpenShift
ci
-
#26792 User profile 'uri' validator not working
user-profile
-
#26816 Keycloak server admin docs needs change with the new hashing iteration changes
docs
-
#26818 bug in operator example yaml
operator
-
#26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&)
login/ui
-
#26830 Duplicate "Refresh" buttons present in admin-ui
admin/ui
-
#26834 Disabling "Reset OTP" in "Reset credentials" flow throws error on "forgot password"
authentication
-
#26853 Fixing anchors in security apps guide in prod profile
docs
-
#26856 Remove custom user attributes section in server developer guide
user-profile
-
#26937 Once all default client scopes are deleted from the realm we can't create a new custom role.
core
-
#26941 When loading entries from a remote store at startup, no lifespan or expiry is set
core
-
#26951 Roles admin REST API for creating roles: Composite roles are expanded
admin/api
-
#26983 Group not found in list after creation
core
-
#27002 Refresh doesn't work in Localization/Effective message bundles
admin/ui
-
#27005 Unable to approve/deny permission requests
account/ui
-
#27031 Having read-only attributes stored at a user leads to validation warning on every login
user-profile
-
#27095 Cache Keys for Group pagination and other entries cannot be invalidated and updated
infinispan
-
#27120 Microsoft social login failure
testsuite
-
#27133 Workflow failure: Keycloak CI - Store IT (aurora-postgres)
ci
-
#27137 Users with fine-grained permissions can not create a user
admin/ui
-
#27140 Locale selector is unnecessarily visible without rights to locales
admin/ui
-
#27162 Default locale is set to null when not explicitly choosing a locale
admin/ui
-
#27173 Newly created authentication subflow is always disabled
admin/ui
-
#27234 Cannot update email in account console with `update-email` feature enabled
account/ui
-
#27243 Account console not working when lightweight-access-tokens used
oidc
-
#27271 AuthorityKeyIdentifierExtension should be calculated from caCert (if it present) in generateV3Certificate, not from subjPubKeyInfo
core
-
#27284 FolderTheme does not support Locales with extensions
core
-
#27290 AWS JDBC driver throws ConcurrentModificationException
storage
-
#27297 Check for duplicated usernames and emails when Login with email option is enabled
user-profile
-
#27316 Server admin guide not building downstream due to missing IDs
docs
-
#27337 Workflow failure: Admin UI E2E - realm_settings_user_profile_enabled
admin/ui
-
#27344 Secure Redirect URI executor issues
oidc
-
#27345 Workflow failure: Keycloak CI - OAuth 2.0 Grant Type SPI
ci
- #27406 JavaDocs generation broken after removal of resteasy-core
- #27409 Apply remote store workaround also for configuration via CLI options
-
#27412 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor
oidc
v23.0.7
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
-
#26810 Shorter lifespan for offline session cache entries in memory
storage
Bugs
-
#22431 Localization: Admin UI doesn't pick up message bundles from realms other than master
admin/ui
-
#23786 Failure: FipsDistTest
ci
-
#25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off
ldap
-
#25731 /admin/realms/{realm}/groups Endpoint is slow
admin/api
-
#25883 ldap-group-mapper fails when empty member: attribute is present
ldap
-
#25912 LDAP federation reports "Creating new LDAP Store..." on every login
ldap
-
#25961 Native SQL Schema names broken on MySQL
storage
-
#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode
ci
-
#26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode
ci
-
#26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&)
login/ui
-
#27120 Microsoft social login failure
testsuite
v23.0.6
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
v23.0.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v23.0.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v23.0.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v23.0.2
Highlights
Non-blocking health check for load balancers
A new health check endpoint available at /lb-check
was added.
The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue.
This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load.
The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.
This endpoint is not available by default.
To enable it, run Keycloak with feature multi-site
.
Proceed to Enabling and disabling features guide for more details.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
Bugs
-
#24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set
saml
-
#24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive
core
-
#25001 Client redirect_uri check must be compared using exact string matching
oidc
-
#25010 Bug: KC_DB_USERNAME environment variable is causing a crash in latest version
dist/quarkus
-
#25051 Unexpected Application Error when clicking "Cancel" on user creation page
admin/ui
-
#25108 Documentation Inconsistency about Open Banking(Finance) Brasil FAPI security profile
docs
-
#25124 If a client does not have a URL the applications page in the account console links to about:blank
account/ui
-
#25173 Make sure username is lowercase when normalizing attributes
user-profile
-
#25183 NullPointerException thrown for UPConfig.getGroups()
user-profile
-
#25307 Keycloak instance `HasErrors` true after update: `More than 1 secondary resource related to primary`
operator
v23.0.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
-
#23841 Users page with LDAP User Storage Provider Cannot read properties of undefined
admin/ui
-
#23872 Attempt to request storage access in Firefox
oidc
-
#24261 „Unlink users“-Option greyed out in ldap federation
admin/ui
-
#24958 Error handling in admin console when update of user fails due the 400 HTTP error code
admin/ui
-
#24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same
saml
-
#24984 Operator is missing CRDs metadata in CSV
operator
-
#25008 Group search when creating user
admin/ui
-
#25022 NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token
oidc
v23.0.0
Highlights
OpenID Connect / OAuth 2.0
FAPI 2 drafts support
Keycloak has new client profiles fapi-2-security-profile
and fapi-2-message-signing
, which ensure Keycloak enforces compliance with
the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.
DPoP preview support
Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions.
More flexibility for introspection endpoint
In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new
switch Add to token introspection
on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different
claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token,
so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.
Feature flag for OAuth 2.0 device authorization grant flow
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default. Thanks to Thomas Darimont for the contribution.
Authentication
Passkeys support
Keycloak has preview support for Passkeys.
Passkey registration and authentication are realized by the features of WebAuthn. Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.
Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication. However, passkeys operations success depends on the user8217;s environment. Make sure which operations can succeed in the environment. Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the ideas and testing of this feature.
WebAuthn improvements
WebAuthn policy now includes a new field: Extra Origins
. It provides better interoperability with non-Web platforms (for example, native mobile applications).
Thanks to Charley Wu for the contribution.
You are already logged-in
There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them,
the attempt to authenticate in subsequent browser tabs opened the page You are already logged-in
. This is improved now as
other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still
corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then
restarted just in one browser tab and hence other browser tabs won8217;t follow automatically with the login.
So we still plan improvements in this area.
Password policy for specify Maximum authentication time
Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication. When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means. You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.
Deployments
Preview support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release adds preview-support for active-passive deployments for Keycloak.
A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios. To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Adapters
OpenID Connect WildFly and JBoss EAP
OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release. It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from Keycloak adapters.
SAML WildFly and JBoss EAP
The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack, making it easier and more seamless to install.
See the Securing Applications and Services Guide for the details.
Server distribution
Load Shedding support
Keycloak now features http-max-queued-requests
option to allow proper rejecting of incoming requests under high load.
For details refer to the production guide.
RESTEasy Reactive
Keycloak has switched to RESTEasy Reactive. Applications using quarkus-resteasy-reactive
should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI8217;s that depend directly on JAX-RS API should be compatible with this change. SPI8217;s that depend on RESTEasy Classic including ResteasyClientBuilder
will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.
User profile
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
If you find any issues or have any improvements in mind, you are welcome to create Github issue,
ideally with the label area/user-profile
. It is also recommended to check the Upgrading Guide with the migration changes for this
release for some additional informations related to the migration.
Group scalability
Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow paginated lookup of subgroups. Thanks to Alice for the contribution.
Themes
Localization files for themes default to UTF-8 encoding
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
See the migration guide for more details.
Storage
Removal of the Map Store
The Map Store has been an experimental feature in previous releases. Starting with this release, it is removed and users should continue to use the current JPA store. See the migration guide for details.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
-
#23155 [WebAuthn] origin validation not support for non-Web platforms
core
Enhancements
-
#431 Remove Wildfly/EAP OIDC and SAML adapter downloads
web
-
#505 Quickstarts - Wildfly upgrade and README cleanup
quickstarts
-
#510 SAML quickstart - provisioning of SAML adapter via Galleon
quickstarts
-
#9318 User profile configuration API is incorrectly typed
docs
-
#10128 Improve failed test behaviour
operator
-
#10620 Internationalized Domain Names in email address
user-profile
- #10713 Update the server to use RESTEasy Reactive
-
#10803 Persist session in JDBC store without using external infinispan cluster
storage
-
#11668 Declarative User Profile: weird behaviour in Account Management Console
user-profile
-
#12406 Remove "You are already logged-in" during authentication
authentication
- #14009 CreatedTimestamp on REST import not used
-
#14165 Cannot refresh RPT tokens
authorization-services
-
#14400 Add proxy options to Keycloak CR
operator
- #15018 Enhancements around proxy and hostname configuration
-
#15072 Allow setting a help text to an attribute
user-profile
-
#15109 Refactor patch-sources.sh used by the Operator
operator
-
#17258 Data too long for column 'DETAILS_JSON'
storage
-
#20343 message bundles are not included in the realm export
import-export
- #20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
- #20695 Add support for single-tenant in Microsoft Identity Provider
-
#20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()?
oidc
-
#20884 [Admin Console v2] Policy creation at Permissions screen missing
admin/ui
- #21073 Identity providers: pagination in admin REST API
-
#21154 Allow existing mappers for Custom Identity Providers
identity-brokering
- #21181 Add FAPI 2.0 security profile as default profile of client policies
- #21182 Enhancing Pluggable Features of Token Manager
-
#21183 More flexibility for Introspection endpoint
oidc
- #21200 DPoP support 1st phase
-
#21444 Set `client_id` when using `private_key_jwt` with OIDC IdP
identity-brokering
- #21945 Release notes for FAPI 2
-
#22034 Keycloak, javascript lib to not use the escape() function
adapter/javascript
-
#22215 DPoP verification in UserInfo endpoint
oidc
- #22318 Allow overriding Account Console resources for full control and backwards compatibility
-
#22372 Expand Group providers to allow for paginated lookup of subgroups
storage
-
#22725 Do not initialize barrier build items for deployment
dist/quarkus
-
#22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider
admin/ui
-
#23194 Add regex support in 'Condition - User attribute' execution
authentication
- #23340 Implement load shedding for RESTEasy reactive
-
#23527 Better usability when disabling user profile and loosing the previous cofiguration
user-profile
-
#23891 Add feature flag for OAuth 2.0 device authorization grant flow
oidc
-
#24024 User profile tweaks in registration forms
user-profile
-
#24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias`
identity-brokering
-
#24273 Add a property to the User Profile Email Validator for max length of the local part
user-profile
-
#24278 Transient users: documentation
core
-
#24387 Move some UserProfile and Validation classes into keycloak-server-spi
user-profile
-
#24494 Transient users: Consents
core
-
#24535 Moving UPConfig and related classes from keycloak-services
user-profile
- #24844 Add High Availability Guide to Keycloak's main repository
-
#24912 Add Galleon layer metadata to the SAML Galleon feature-pack
adapter/jee-saml
Bugs
-
#468 Cant build it
quickstarts
-
#503 Automate Keycloak version replacement
quickstarts
-
#508 set-version script does not update package(-lock).json files in js and nodejs quickstarts
quickstarts
-
#515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception
quickstarts
-
#8939 PAR fails to authenticate for public client
oidc
-
#9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers
oidc
-
#10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies
adapter/javascript
-
#11699 Under heavy load, DefaultBruteForceProtector blocks the whole system
authentication
-
#12062 Declarative User Profile export
user-profile
-
#12171 Inconsistent authorization behavior when exporting data from a realm
authorization-services
-
#14134 [keycloak 18] cannot import users with correct ID in partial import
admin/api
-
#16379 Inconsistent handling of parenthesis in auth flow name
admin/api
-
#16526 Token introspection response does not follow RFC6479 "scope" parameter format
oidc
-
#19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page
admin/api
-
#19125 kcadm do not update defaultGroups
docs
-
#19154 Non working API docs link
docs
-
#19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour
authentication
-
#20135 Searching for multiple types in the Events section gives an error
admin/client-js
-
#20218 Role mappers must return a single value when they are not multivalued
oidc
-
#20316 Email pattern is not compliant
account/api
-
#20453 Admin UI incredibly slow with 300 realms
admin/api
-
#20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes
user-profile
-
#20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow
ci
-
#20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1
token-exchange
-
#20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required"
user-profile
-
#20885 Key length is limited to 4000 characters
storage
-
#21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients
storage
-
#21123 NPE in getDefaultRequiredActionCaseInsensitively
admin/api
-
#21236 Keycloak Event clientId is null when ever a logout event is fired.
core
-
#21555 Listing realms due to realm drop-down
admin/ui
-
#21660 Wrong convert timestamp to date
account/ui
-
#21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator
authentication
-
#21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator
authentication
-
#21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak
ldap
-
#21805 Missing labels account console
account/ui
-
#21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak
ldap
-
#21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log
operator
-
#22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP
ci
- #22177 Missing client_id validation match when authenticating client with JWT
-
#22191 Verification of iss at refresh token request
oidc
-
#22332 Selecting resource on resource based permission gives error
admin/ui
-
#22337 kc.sh errors if using characters like semicolon inside the arguments
docs
-
#22375 Possible NullPointerException
core
-
#22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY'
core
-
#22432 inputOptionLabels is not used by Admin UI
admin/ui
-
#22583 Fine grained permissions not rendering
account/ui
-
#22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute
saml
-
#22814 user search with "q" parameter ignores keys of length 1 and returns all users
admin/api
-
#22818 inputOptionLabels is not used by Account UI v3
account/ui
-
#22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save
admin/api
-
#22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction
admin/ui
-
#22988 Cache stampede after realm cache invalidation
infinispan
-
#23044 Docs: server_admin/topics/sessions/transient.adoc
authentication
-
#23128 Regex defect in federation script federation-sssd-setup.sh
dist/quarkus
-
#23173 crypto/elytron package has several bugs
core
-
#23180 TypeError in user profile admin-ui
admin/ui
-
#23253 CLI args not recognized when running Quarkus dev mode
dist/quarkus
-
#23255 Several help text messages missing in saml identity provider
admin/ui
-
#23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients
storage
-
#23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients.
dependencies
-
#23582 Join group screen does not show child groups without filters
admin/ui
-
#23616 invalid tag in .ftl file
user-profile
-
#23692 Genetated access token exception then $ sign in client name
core
-
#23733 OpenAPI spec doesn't match the admin API
admin/api
-
#23753 Insufficient guard against path traversal GzipResourceEncodingProvider
core
-
#23789 Can not create attribute group before setting/removing an annotation
user-profile
-
#23795 Spelling errors in TokenManager.java
oidc
-
#23970 Keycloak does not export/import userprofile data when exporting the realm
user-profile
-
#24032 Group attributes are not saved if there are two attributes with the same key
admin/ui
-
#24035 Admin UI: Group details page is not updated by group list dropdown actions
admin/ui
-
#24067 Duplicate attribute groups show in list in UserProfile in admin ui
admin/ui
-
#24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled
user-profile
-
#24096 Document or avoid breaking change in UserSessionModel
core
-
#24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations.
core
-
#24183 Username now shown when creating a user and edit username is not allowed
user-profile
-
#24187 Admin UI group view shows attributes of previously viewed group
admin/ui
-
#24293 b.map is not a function error when LDAP server is offline
core
-
#24420 User profile behaves different in keycloak 22.0.5
user-profile
-
#24453 Email-verified checkbox not visible anymore when user profile is enabled
admin/ui
-
#24455 NPE when logging in with TransientUser
storage
-
#24458 Unfriendly error message when user-storage provider not available
admin/ui
-
#24487 show/hide password in clear text button visible for hiden field in "forgot password" flow
login/ui
-
#24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature)
oidc
-
#24551 the `./kc.sh tools completion` command cannot be recognized correctly
admin/cli
-
#24672 Basic auth is not RFC 2617 compliant
authentication
-
#24697 User cannot update profile when some invalid attribute invisible to him is present on his profile
user-profile
-
#24766 non-functioning session persistence when using JDBC over Infinispan
infinispan
-
#24792 Invalid redirect_uri if it contains uppercase letters
authentication
-
#24970 `jwt-decode` is being bundled into Keycloak JS
admin/client-js
v22.0.5
v22.0.4
v22.0.3
v22.0.2
v22.0.1
v22.0.0
v21.1.2
v21.1.1
v21.1.0
v21.0.2
v21.0.1
v21.0.0
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.